Information Systems Audits

Information Systems (IS) audits conducted by the Legislative 
Audit Division are designed to assess controls in an IS 
environment. IS controls provide assurance over the accuracy, 
reliability, and integrity of the information processed. From 
the audit work, a determination is made as to whether controls 
exist and are operating as designed. We conducted this IS audit 
in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides 
a reasonable basis for our findings and conclusions based on our
audit objectives. 

Members of the IS audit staff hold degrees in disciplines 
appropriate to the audit process. Areas of expertise include 
business, accounting, information technology, computer science, 
mathematics, political science, and communications. 

IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under the 
oversight of the Legislative Audit Committee which is a bicameral 
and bipartisan standing committee of the Montana Legislature. 
The committee consists of six members of the Senate and six 
members of the House of Representatives. 

The Legislative Audit Committee
of the Montana State Legislature: 

We conducted an information systems audit of security over Montana Lottery operations. 
Montana law requires the Legislative Audit Division perform a comprehensive security 
audit of the Montana Lottery every two years. We reviewed security controls within the 
18 areas defined in statute, including the Montana Lottery's computer systems, scratch 
and online tickets, and personnel and sales agents. 

This report contains three recommendations for strengthening controls including: 
strengthening policy; monitoring security systems; and data collection. 

We wish to express our appreciation to the Montana Lottery for their cooperation and 
assistance during the audit. 



Respectfully submitted, 

Tori Hunthausen, CPA 
Legislative Auditor 

Report Summary



Strong security controls are essential to ensure the safety and integrity of the 
Montana Lottery and its games, employees and contractors. Security controls 
are in place in the areas outlined by statute; however, we identified areas where
controls can be strengthened, and where adherence to existing controls can be 
improved. 



Context 

The Montana Lottery was created in 1987. In its 
first quarter-century the Montana Lottery has 
transferred nearly $200 million to various state 
programs and to the general fund, where its net 
revenues are currently deposited. Its operations 
are funded by the sale of Montana Lottery 
tickets, which include scratch tickets; online 
tickets for drawing games such as Powerball 
and Montana Cash; and online instant-play 
games, a relatively new form of game for the 
Montana Lottery. Tickets are sold by licensed 
sales agents across the state, either in person 
as traditional retail counter transactions, or 
increasingly via vending-style self-service 
machines. These machines are typically located 
in supermarkets and taverns. 

Montana law requires the Legislative Audit 
Division to perform a comprehensive security 
audit of the Montana Lottery every two 
years. Auditors reviewed the 18 security 
areas as defined in §23-7-411, MCA. Testing 
included evaluating Montana Lottery against 
Montana statute, Multi State Lottery
Association (MUSL) regulations, Montana 
Lottery internal security procedures, and 
industry best practices. 



Results 

Overall, security controls are in place in 
the areas outlined by statute; however, we 
identified areas where controls can be 
strengthened, and where adherence to 
existing controls can be improved. Areas for 
improvement include: 

♦ Enhancing and adhering to the 
Montana Lottery's Employment of 
Relatives Policy, 

♦ Increasing familiarity with and efficient 
utilization of existing security systems, 
and 

♦ Collecting and analyzing data related 
to prize claims by licensed sales agents 
and their employees. 



Recommendation Concurrence

Concur            3
Partially Concur
Do Not Concur

Source: Agency audit response included in final report.



For a complete copy of the report (13DP-01) or for further information, contact the
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at
http://leg.mt.gov/audit

Report Fraud, Waste, and Abuse to the Legislative Auditor's FRAUD HOTLINE

Call toll-free 1-800-222-4446, or e-mail ladhotline@mt.gov.



Chapter I - Introduction and Background 

Introduction 

Following a statewide ballot referendum in 1986, the Montana Lottery was created 
in 1987. Net revenues are generated through the sale of various types of Montana 
Lottery tickets, and transferred to the state's general fund. In its history the Montana 
Lottery has generated nearly $200 million for various state programs. In fiscal year 
2012, the Montana Lottery had sales of $52.6 million and transferred $13.1 million to 
the general fund. 

Background 

The Montana Lottery is an enterprise fund of the Department of Administration. Its 
Director is appointed by the Governor. The Governor also appoints a five-member 
Commission that oversees the operations of the Montana Lottery, sets policy, and 
determines the type and form of Montana Lottery games. Members serve staggered 
four-year terms. The Director administers the day-to-day operations of the Montana 
Lottery. The Montana Lottery is organized into four main areas: 1) administration 
and finance, 2) marketing, 3) security, and 4) information technology. The Montana 
Lottery's security section includes a Director of Security and a Criminal Investigator. 
Security affects each area of the operation, and includes security of facilities, personnel, 
computer systems, and general operations. 

Montana Lottery tickets are sold at approximately 900 retail locations around 
Montana. Tickets fall into one of three categories: scratch tickets; online tickets 
(Powerball, etc.); and online instant-play games. Scratch and online drawing tickets are 
sold either over-the-counter in a traditional retail exchange or via self-service vending- 
style machines. Online instant-play games, introduced in late 2011, are sold exclusively 
through self-service terminals installed in bars and casinos across the state. For any 
Montana Lottery game, retailers can validate and pay out any prizes up to $599. Prizes 
of $600 or more must be paid through the Montana Lottery office in Helena, either in 
person or through the mail. 

The Montana Lottery is a member of the Multi State Lottery Association (MUSL), a 
nonprofit association owned and operated by its member lotteries. Each member offers 
one or more lottery games administered by MUSL such as Powerball or Mega-Millions. 
MUSL requires member lotteries to operate both a games management system (GMS)
to manage online and scratch games, and an Internal Control System (ICS) as a check
and balance against ticket sales recorded in the GMS.

Montana's GMS is currently operated by a third-party vendor. The vendor developed,
maintains, and operates the GMS as well as installing and maintaining sales terminals 
and self-service vending machines at retail locations throughout the state. Montana 
Lottery personnel interface with the GMS through the Back Office System (BOS) 
to manage operations. The ICS, which is required by MUSL, was developed and is 
maintained by a separate third party vendor. It also records all Montana Lottery sales 
and drawing information and is used to ensure the GMS is reporting accurately. These 
systems are part of Montana Lottery operations and thus are included within our 
security audit. 

Audit Scope and Objective 

Statute requires the Legislative Audit Division to perform a comprehensive security 
audit of the Montana Lottery every two years and specifically defines areas to be 
included. The 18 security areas as defined in §23-7-411, MCA, include: 

♦ personnel security 

♦ sales agent security 

♦ contractor security 

♦ security of manufacturing operations of contractors 

♦ security against ticket or chance counterfeiting and alteration, and other 
means of fraudulently winning 

♦ security of drawings among entries or finalists 

♦ computer security 

♦ data communications security 

♦ database security 

♦ systems security 

♦ premises and warehouse security 

♦ security in distribution 

♦ security involving validation and payment procedures 

♦ security involving unclaimed prizes 

♦ security aspects applicable to each particular game 

♦ security of drawings in games whenever winners are determined by drawings 

♦ the completeness of security against locating winners in games with 
preprinted winners by persons involved in their production, storage, 
distribution, administration, or sales 

♦ any other aspects of security applicable to any particular Montana Lottery 
game and to the Montana Lottery and its operations 



Our audit included a review of Montana Lottery operations to determine which areas 
our audit work should focus on. Since we conduct an audit on a regular basis, we 
re-evaluate operations and review those aspects of operations that present the most risk 
from a security perspective. Our objective was to determine whether Montana Lottery 
has controls in place within the 18 statutory areas and whether those controls function 
as expected. 

Methodology

To accomplish our objective, we performed audit work under each statutorily defined 
area. Work included interviews with agency and vendor personnel; observation of 
facilities and systems in place for Montana Lottery and its vendors; testing of identified 
controls; review of agency and vendor policies, procedures and security records; and 
research of and contact with other states for comparative information. 

More specifically, testing included evaluating Montana Lottery against MUSL 
regulations, Montana Lottery internal security procedures, and industry best practices. 
To ensure our objective was met, we observed daily operations, interviewed Montana 
Lottery personnel, and determined if documentation was maintained and reviewed. 
We reviewed employee and contractor procedures including background and/or credit 
checks. We evaluated employee and contractor access to facilities, systems, and data. 
We observed instant ticket stock distribution procedures and identified controls. 
Finally, we reviewed computer systems and network configurations and system reports. 

Prior Audit Recommendations 

The Legislative Audit Division conducted a similar audit in 2010, which resulted in 
five recommendations for strengthening security controls. Our work for this audit 
included reviewing actions taken by the Montana Lottery to incorporate these 
recommendations into business practices. The recommendations included changes to 
controls within the GMS and ICS systems, and strengthening processes related to 
control of the keys to the in-house ticket vending machine. Based on our review, the 
Montana Lottery has implemented all five recommendations. 

Conclusion 

Based on audit work conducted, security controls are in place in the areas outlined by 
statute. However, we identified areas where controls can be strengthened to improve 
security and help ensure the integrity of the Montana Lottery's operations. These areas 
are discussed in Chapter II. 

Chapter II - Findings And Recommendations

Introduction 

Montana Lottery operations are governed by statute, Multi-State Lottery Association 
(MUSL) rules, state information technology policies, and internal security policies. 
Audit work focused on the Montana Lottery's existing controls related to the statutorily 
defined audit categories. This report contains three recommendations for strengthening 
security controls, including enhancing and adhering to the Employment of Relatives 
Policy; increasing the familiarity with and efficient utilization of several existing 
security systems; and collecting and analyzing data on retailers and their employees 
who claim Montana Lottery prizes. 

Employment of Relatives Policy 

Since its last security audit in 2010, the Montana Lottery has implemented an 
Employment of Relatives Policy that addresses many of the areas recommended 
by human resource professionals. This is a positive step by the Montana Lottery to 
acknowledge the need for addressing situations that may arise when people employed 
by the Montana Lottery and its contractors are related. However, due to added security 
concerns unique to the Montana Lottery and the importance for the Montana Lottery 
to maintain integrity in both fact and appearance, its Employment of Relatives Policy 
should specifically address significant security controls, such as segregation of duties 
among relatives working for the Montana Lottery and its contractors. Montana 
Operations Manual, section 399 addresses segregation of duties; however, the Montana 
Lottery's policy on employment of relatives is not clear on this being one of the most 
important elements of internal control. 

There are currently two examples of relatives being employed by the Montana Lottery 
and its primary contractor. These situations involve employees who are in positions 
with security, management, and information technology. Specifically, one relationship 
involves a security position within the Montana Lottery and a management position 
with the contractor. The other relationship involves an information technology 
employee of the Montana Lottery and a manager for the contractor. 

Audit work revealed that the policy's requirement that relatives are at no time allowed 
to make decisions, recommendations, or judgments related to . . . "the assignment or 
direction of work assignments" is not always followed by members of Montana Lottery 
staff. We observed an instance of an employee of the Montana Lottery directing the 
work of a relative employed by the contractor. We also noted that Montana Lottery 
management was not aware that the policy was not always followed. 






While we did not identify any inappropriate activities, the instance of the Montana 
Lottery employee directing the actions of a relative was noncompliance with policy. 
Management should ensure compliance with policies. Lack of proper control regarding 
family relationships could lead to either accidental or purposeful actions which are 
inappropriate and/or fraudulent. Public perception of the Montana Lottery could be 
negatively impacted if issues occur as a result of interactions between family members. 

The previous security audit included a discussion with Montana Lottery administration 
about documenting their considerations and routinely monitoring the combined 
access of family members. The Montana Lottery's Employment of Relatives Policy is 
a step toward establishing appropriate controls over the employment of related people. 
However, policy is not clear on the issues of segregation of duties and documentation 
of existing relationships, which are important for ensuring the security of operations. 
Additionally, ongoing monitoring of staff's adherence to policy should be part of 
operations. Subsequent to our audit work the Montana Lottery updated its policy and 
documented existing relationships. 



Recommendation #1 

We recommend the Montana Lottery: 

A. Strengthen its Employment of Relatives Policy to more specifically 
address segregation of duties and documentation of specific 
relationships. 

B. Conduct ongoing monitoring of employee compliance with policy. 



Monitoring of Security Systems 

Montana Lottery premises and warehouse security is a statutorily mandated area of 
examination for each security audit. We observed several security controls over access 
to the building and certain areas within it. We also examined the systems that monitor 
access to various parts of the building, and compared employee job descriptions with 
the level of access afforded to determine whether employees have appropriate access 
based upon their job duties. Audit work noted that physical security of the Montana 
Lottery building and various rooms and areas therein is generally good and employee 
access is appropriately assigned, although regular monitoring of security systems could 
be improved. 



The Montana Lottery has operated out of the same building since its inception. The 
facility includes offices; a secure drawing room, containing computers that conduct
daily and weekly drawings; a warehouse, where scratch ticket inventory is kept until it
is shipped to retailers or sales reps; and a server room, which contains the computers 
that maintain sales and drawing data for all MUSL games (Powerball, etc.). The 
Montana Lottery has implemented security systems to control and monitor access to 
all areas within the facility. 

Security Cameras 

Auditors observed the Montana Lottery's network of security cameras and noted it 
provides live video coverage of most key areas of the building. The system also maintains 
digital recordings of all video feeds. Auditors moved about the building, then asked 
Montana Lottery security staff to replay the video of this movement. While it was 
apparent the system was recording and archiving video footage for several months, 
staff had difficulty identifying the specific recorded footage. This indicated to auditors 
that security staff is not reviewing video enough to be familiar with the process. 

Facility Access 

The Montana Lottery also maintains a key card/passcode system for entry into and 
within the building. An enhanced alarm system exists in certain areas, and the 
Montana Lottery receives a monthly report of each time each of the alarms was armed
or disarmed. During the audit, auditors were given key cards to access the office area 
during regular business hours. As part of testing, auditors attempted to access areas 
they were not authorized to access and were unsuccessful. In addition, we reviewed 
the system that records each key's access to the building. We tried our keys both 
successfully and unsuccessfully at various doors, then had Montana Lottery security 
staff review the log of that day's building access and we noted both successful and 
unsuccessful attempts to use our keys had been accurately recorded. However, security 
staff could not produce a key-specific report showing each time a particular key had 
been used on any door in the building. Staff cited computer issues and incompatibility 
with the software that records the door access. In addition, security staff indicated the 
company that created the software for the system was out of business and thus they 
could not obtain assistance with system problems. This indicated that security staff 
had lost the capability to review building access records on a regular basis, but had not 
taken action to correct this limitation. The vendor operating the Montana Lottery's 
game management system uses the same key/passcode system at its facility, and the 
contractor is able to routinely run access reports to determine who has accessed the 
building, which areas of the building were accessed, and at what times of day. 

Based on these two examples - archived video footage and data on the use of keycards 
to access the building - we concluded that while appropriate security information is being
collected and stored, the ability of Montana Lottery personnel to access, review, and 
analyze this information is limited. Montana Lottery personnel are not regularly
reviewing the data collected regarding who is attempting to access the building, 
at what times, and at which doors. Inability to fully integrate all security tools and 
regularly review all collected data at the disposal of security personnel can lead to 
security risks. For example, employees and other individuals entering the Montana 
Lottery facility may be attempting to access areas that are off-limits, which is not an 
acceptable practice and could lead to successful access to restricted areas. 

The Montana Lottery has a policy in place outlining the various levels of access to 
the building that will be granted to people with specific job duties. This building 
access policy does not address monitoring/enforcement of appropriate building access. 
In addition, Montana Lottery security policies do not specifically address regular 
or ongoing review of data collected by various electronic security systems including 
documentation of results of reviews. However, job descriptions for both the Director of 
Security and the Criminal Investigator stipulate ongoing monitoring and maintenance 
of various security systems. 



Recommendation #2 

We recommend the Montana Lottery ensure ongoing monitoring of security 
aspects of the operation. 



Data Collection 

Montana Lottery tickets are sold by licensed sales agents located throughout Montana. 
These sales agents include small mom-and-pop stores, convenience stores, supermarkets, 
casinos, and bars. As part of our security review, audit work included determining 
what, if any, data is collected regarding individuals who claim Montana Lottery prizes,
including licensed sales agents and their employees. Collecting such information can 
help identify potentially inappropriate prize claims. 



During our review of lottery operations in other states, we noted instances where these 
other states identified fraudulent activities conducted by sales agents or their affiliates 
including theft of winning tickets by employees. Lotteries in several surrounding states 
collect information from prize claimants on whether or not they are affiliated in any 
way with licensed sales agents. Of the 44 states offering lottery games, we examined 
the winner claim forms for 36 states. We identified 17 states, including Montana's 
neighboring states, that ask prize claimants whether they are lottery retailers, or some 
variation of that question. We contacted personnel within several states to inquire
about practices for collecting and analyzing winner data. In response to our query,
one neighboring state official said their state started collecting this information after 
several incidents of fraud in recent years involving lottery retailers in other states and 
Canadian provinces. This representative further said that while there was no evidence 
of retailer fraud in their state that led officials to implement the practice, officials 
believed that for the security and integrity of their lottery, it was in their best interest to 
proactively collect this data. We received similar responses from other states. 

In Montana, licensed sales agents and their employees are not prohibited from playing 
and winning Montana Lottery games. A review of Montana Lottery press releases 
announcing winners of major prizes identified several instances where the winner was 
an employee of the retail location where the winning ticket was purchased. However, 
the Montana Lottery does not routinely collect any information from its prize claimants 
regarding whether or not they are licensed retailers or their employees. 

Our review of practices in other states indicated almost half of the lotteries we 
reviewed collect prize claim information on retailers and their affiliates. Collecting and 
analyzing information on licensed sales agents and their employees claiming lottery 
prizes would allow the Montana Lottery to gain awareness of potential threats to its 
games' security and integrity. The purpose of implementing a system of proactive 
checks and balances is to reduce the potential for fraud and theft, and help increase the 
chances that inappropriate claims will be detected. The Montana Lottery maintains a 
listing of sales agents and prize winners, and could cross-check these lists to determine 
how frequently its retailers are winning prizes. The Montana Lottery could also amend 
its Prize Claim Form to ask claimants whether they are employees of licensed sales 
agents. This data could then be analyzed on an ongoing basis to help identify recurring 
winners and potential anomalies. 

Montana Lottery officials told us they trust the integrity of Montana's retailers. 
While §23-7-202(7) and (10), MCA, authorize the Montana Lottery Commission 
to study other states for best practices and establish rules to make operations more 
secure, Montana Lottery officials do not believe they can legally investigate situations 
identified as a result of collecting and analyzing this type of information without 
explicit statutory authority. However, collecting and analyzing prize claim information 
is the first step toward strengthening operations. 

Recommendation #3



We recommend the Montana Lottery collect and analyze data regarding prize 
claims by licensed sales agents and their employees.



Montana Lottery 

Montana Lottery
For the fun of it!
2525 N. Montana, Helena, MT 59601 • P: 406-444-5825 • F: 406-444-5830



May 17, 2013

Ms. Tori Hunthausen
Legislative Auditor
Office of the Legislative Auditor
State Capitol Building
Helena, MT 59620-1705

RE: Response to 2013 Montana Lottery Security Audit 

Dear Ms. Hunthausen:

Thank you for the opportunity to respond to the report on Montana Lottery Security 
Audit dated May 17, 2013. The Montana Lottery appreciates the service your staff
provided in reviewing its security operations. 

The Montana Lottery concurs with the audit findings and recommendations. We have 
taken or will take the necessary action to comply with all recommendations. 

The following is in response to specific recommendations of the audit team. 



RECOMMENDATION #1: We recommend the Montana Lottery: 

A. Strengthen its Employment of Relatives Policy to more specifically address 
segregation of duties and documentation of specific relationships. 

B. Conduct ongoing monitoring of employee compliance with policy. 

The Montana Lottery concurs with both sections of this finding and has updated its policy 
and monitoring procedures regarding the conclusions noted. 



RECOMMENDATION #2: We recommend the Montana Lottery ensure ongoing 
monitoring of security aspects of the operation. 

The Montana Lottery concurs with this finding and will update procedures. The Lottery 
has requested grant money from Risk Management and Tort Defense, which will allow 
for upgrades to its security systems. These upgrades will make the systems compatible 
with newer software packages, provide reporting capabilities, and provide for better 
video tracking abilities. The Lottery was notified on April 30, 2013, that the grant 
request was approved for fiscal year 2014. 




RECOMMENDATION #3: We recommend the Montana Lottery collect and
analyze data regarding prize claims by licensed sales agents and their employees. 

The Montana Lottery concurs with this finding and will develop procedures to meet the 
intent of the recommendation. However, since the Lottery currently retains no statutory 
or rule authority for requesting employment questions on the claim forms, a rule change 
request will need to be submitted for approval to Lottery Commissioners prior to full 
implementation. Even with a rule change, the Montana Lottery will be restricted from 
taking direct legal actions should questionable activity be discovered unless the Lottery 
and Theft sections of the MCA's are changed accordingly in the upcoming 2015 
Legislative Session. Prosecutions even if we did discover criminal activity without 
changing the MCA's will most likely not materialize. 

The Montana Lottery does actively take assertive approaches regarding the identification 
of criminal activity. We currently utilize various reports in the gaming system, such as 
retailer ranking data, ticket shipment tracking, and claim data to establish potential 
criminal patterns involving our licensed retailers. These reports are pulled by seasoned 
individuals on the staff who are very proficient at identifying a potential theft situation 
that will require further follow-up investigation by Lottery Security. 

Thank you again for the opportunity to respond. Your team established a good rapport 
with our office and showed strong professional knowledge and personal professionalism 
while working in our area. Please express my appreciation of these facts to them for their 
efforts. 



Sincerely,

Director
Montana Lottery

cc: John Tarr, Security Director 
Montana Lottery 